CloudStack account-users by default use username- and password-based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for API-based automation and integrations. Due to an access permission validation issue affecting Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query the API and secret keys of all registered account-users in an environment, including those of a root admin. An attacker with domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can compromise the integrity and confidentiality of resources, cause data loss, and cause denial of service affecting the availability of CloudStack-managed infrastructure.
Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated.
History

Fri, 11 Oct 2024 13:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Weaknesses | CWE-276 | |
Mon, 19 Aug 2024 14:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Weaknesses | CWE-200 | |
Mon, 19 Aug 2024 14:00:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Weaknesses | CWE-863 | |
Mon, 12 Aug 2024 19:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Apache Apache cloudstack | |
| Weaknesses | CWE-276 | |
| CPEs | cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:* | |
| Vendors & Products | Apache Apache cloudstack | |
| Metrics | cvssV3_1 | cvssV3_1 |
Wed, 07 Aug 2024 20:00:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | cvssV3_1 | |
Wed, 07 Aug 2024 19:30:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| References | | |
Wed, 07 Aug 2024 07:30:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment, including that of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. Users are recommended to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1, or later, which addresses this issue. Additionally, all account-user API and secret keys should be regenerated. | |
| Title | Apache CloudStack: User Key Exposure to Domain Admins | |
| Weaknesses | CWE-200 | |
| References | | |
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-08-07T07:17:08.811Z
Updated: 2024-09-03T19:58:27.161Z
Reserved: 2024-07-29T11:57:03.344Z
Link: CVE-2024-42062

Vulnrichment
Updated: 2024-08-07T08:03:17.884Z

NVD
Status: Modified
Published: 2024-08-07T08:16:12.250
Modified: 2024-11-21T09:33:30.597
Link: CVE-2024-42062

Redhat
No data.